From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 10:44:03 2007
Date: Tue, 16 Jan 2007 21:43:58 +1100 (EST)
From: Bruce Evans <bde@zeta.org.au>
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.org, Dirk Engling, Colin Percival
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
In-Reply-To: <20070116084243.GA1117@garage.freebsd.pl>
Message-ID: <20070116211016.T6114@delplex.bde.org>

On Tue, 16 Jan 2007, Pawel Jakub Dawidek wrote:

> On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
>> install -S ...
>> ... can easily
>> be made both safer (actually no-clobber) and securer by opening the file
>> with O_EXCL and exiting if the file exists at the time of the open.
>> Perhaps cp -f should do the same.  (Both have paths where they do a
>> forced unlink() followed by an open().  This open() can easily use O_EXCL).
>
> Interesting.  I was sure it won't work as you described, because the
> target file can be a symlink and open(2) by default follows symlinks.
> I thought that you just forgot about the O_NOFOLLOW flag, but it seems that
> with O_EXCL open(2) doesn't follow symlinks, so it will work.

I did forget it.  I just assumed that doing the same thing as mkstemp()
is as secure as possible, and it is.  Old versions of mkstemp() couldn't
use O_NOFOLLOW since O_NOFOLLOW has only existed since Y2K.  New versions
don't use it because it is unnecessary.  Exclusive access isn't enough
for security since if open() followed a dangling link it would create a
security hole with (O_CREAT | O_EXCL).  But there is no problem since
O_EXCL implies not following symlinks even if O_NOFOLLOW is not
supported.  This is documented in open(2) and better documented in POSIX.

Bruce
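The O_CREAT|O_EXCL behaviour discussed in this thread, as an added example that is not from the thread nor from install(1) or cp(1): a scratch directory under /tmp (a constructed path, and an assumption about the system) gets a dangling symlink, and the two create functions are run against it to show that a plain O_CREAT open follows the link and creates the target, while O_CREAT|O_EXCL fails with EEXIST and creates nothing, with no O_NOFOLLOW involved.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The safe create from the thread: create the file or fail; a symlink at
 * path (even a dangling one) counts as "already exists". */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The unsafe variant: plain O_CREAT follows whatever symlink sits at path. */
int create_plain(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Test rig (assumed, not install(1)/cp(1) code): plant a dangling symlink
 * link -> target in a scratch dir, call creat_fn("link"), report the result. */
static int open_through_dangling_link(int (*creat_fn)(const char *))
{
    char dir[] = "/tmp/oexcl_demo.XXXXXX";        /* constructed scratch path */
    char link[64], target[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) return -1;     /* target absent: dangling */
    int fd = creat_fn(link);
    int refused = (fd == -1 && errno == EEXIST);   /* read errno before access() */
    int created = (access(target, F_OK) == 0);
    if (fd != -1) close(fd);
    unlink(target); unlink(link); rmdir(dir);      /* leave nothing behind */
    return created ? 1 : (refused ? 0 : -1);       /* 1 created, 0 EEXIST, -1 other */
}

/* Plain O_CREAT goes through the link and creates the target: this is the
 * window a forced unlink() followed by an ordinary open() leaves open. */
int plain_create_follows_dangling_link(void)
{
    return open_through_dangling_link(create_plain) == 1;
}

/* O_CREAT|O_EXCL fails with EEXIST and creates nothing. */
int excl_refuses_dangling_link(void)
{
    return open_through_dangling_link(create_exclusive) == 0;
}
```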